Microsoft revealed on Tuesday that a large-scale phishing campaign had targeted over 10,000 organizations since September 2021 by hijacking the authentication process of Office 365. This attack was successful even on accounts that were secured with multi-factor authentication (MFA).
"The attackers then used the stolen credentials and session cookies to access affected users' mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets," the company's cybersecurity teams reported. BEC refers to attacks in which the recipient of an email is tricked into believing that the sender is someone else.
The intrusions involved the setting up of adversary-in-the-middle (AitM) phishing sites. In this type of attack, the adversary places a proxy server between a potential victim and the targeted website. This allows the adversary to redirect recipients of phishing emails to lookalike landing pages that are designed to capture credentials and MFA information.
The company offered this explanation: "The phishing page has two different Transport Layer Security (TLS) sessions—one with the target and another with the actual website the target wants to access."
"These sessions mean that the phishing page practically functions as an AitM agent, intercepting the whole authentication process and extracting valuable data from the HTTP requests such as passwords and, most importantly, session cookies," the explanation continued.
Even where the victim had enabled MFA, the attackers bypassed it by injecting the stolen session cookies into their own browsers, which let them skip the authentication process entirely, since the cookie already represents a completed sign-in.
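One way a defender can surface the cookie injection described above is to watch for a session cookie that is presented from a client other than the one that completed the sign-in. The following is an added example written for this article, not code from Microsoft's report: the log lines are constructed, each representing one authenticated request with a hash of its session cookie (never the raw cookie), source IP, user agent and timestamp, and the field names are this example's own, not those of any real sign-in or proxy log.

```python
"""Detect session cookies replayed from a client other than the one that
signed in. Added example; constructed log format, see the module comments."""
import json
from datetime import datetime

# Constructed sample: alice signs in from her own browser (relayed through the
# phishing proxy, so the request itself looks legitimate), then about three and
# a half minutes later the same session cookie is presented from a different IP
# and a Chrome user agent. bob's session stays on one client throughout.
SAMPLE_LOG = """\
{"ts": "2022-07-12T09:00:05Z", "user": "alice@example.com", "session": "sha256:1f3a", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/103", "event": "SignIn"}
{"ts": "2022-07-12T09:00:20Z", "user": "alice@example.com", "session": "sha256:1f3a", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/103", "event": "MailboxAccess"}
{"ts": "2022-07-12T09:03:41Z", "user": "alice@example.com", "session": "sha256:1f3a", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103", "event": "MailboxAccess"}
{"ts": "2022-07-12T09:04:02Z", "user": "alice@example.com", "session": "sha256:1f3a", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103", "event": "MailboxAccess"}
{"ts": "2022-07-12T09:10:00Z", "user": "bob@example.com", "session": "sha256:9c2e", "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Macintosh) Safari/15", "event": "SignIn"}
{"ts": "2022-07-12T09:12:00Z", "user": "bob@example.com", "session": "sha256:9c2e", "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Macintosh) Safari/15", "event": "MailboxAccess"}
"""


def _parse_ts(value):
    # datetime.fromisoformat() before Python 3.11 rejects a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_replayed_sessions(log_text):
    """Return one alert per (session, new client) pair.

    The first record for a session fixes the client that established it; any
    later record for the same session from a different IP or user agent is a
    replay candidate. Both attributes changing at once is the strongest signal,
    because a cookie pasted into the attacker's own browser changes both.
    """
    origin = {}       # session hash -> first record seen for it
    reported = set()  # (session, ip, ua) pairs already alerted on
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sess = rec["session"]
        first = origin.setdefault(sess, rec)
        if first is rec:
            continue  # this record established the session
        ip_changed = rec["ip"] != first["ip"]
        ua_changed = rec["ua"] != first["ua"]
        key = (sess, rec["ip"], rec["ua"])
        if not (ip_changed or ua_changed) or key in reported:
            continue
        reported.add(key)
        minutes = (_parse_ts(rec["ts"]) - _parse_ts(first["ts"])).total_seconds() / 60
        alerts.append({
            "user": rec["user"],
            "session": sess,
            "origin_ip": first["ip"], "replay_ip": rec["ip"],
            "origin_ua": first["ua"], "replay_ua": rec["ua"],
            "minutes_after_signin": round(minutes, 1),
            "severity": "high" if ip_changed and ua_changed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

An IP change on its own is common for mobile and VPN users, which is why the example only raises the severity to high when the user agent changes as well; in production the comparison would usually be made on a coarser client fingerprint (ASN, device identifier, OS family) rather than the full user-agent string.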
Microsoft discovered a phishing campaign that was designed to target Office 365 users specifically by imitating the Office online authentication page. The perpetrators of the attack used the Evilginx2 phishing kit to carry out the AitM attacks.
This was accomplished by sending email messages with voice message-themed lures that were marked as having high importance. This duped the recipients into opening malware-ridden HTML attachments that redirected them to landing pages that stole their credentials.
After successfully authenticating themselves, users were eventually redirected to the official office.com website. However, this did not occur until after the perpetrators had used the AitM technique to steal the session cookies and take control of the compromised account.
The attacks did not end there because the threat actors misused their access to the mailboxes in order to commit payment fraud. They did this by employing a strategy known as email thread hijacking, which consisted of convincing parties on the other end of the conversation to illegally wire funds to accounts that were under their control.
Threat actors also created mailbox rules that automatically moved every incoming email containing the relevant domain name to the "Archive" folder and marked it as "read," further concealing their communications with the fraud target from the mailbox owner.
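Rules of the kind just described leave a trace in mailbox audit logs, and the combination of "move to a folder the user never checks" with "mark as read" and a filter on the other party's address is a useful detection. The code below is an added example for this article, not Microsoft's own detection logic. The records are constructed to resemble unified audit log entries for New-InboxRule and Set-InboxRule, in which the cmdlet's parameters are recorded as a list of Name/Value pairs; MoveToFolder, MarkAsRead, DeleteMessage and FromAddressContainsWords are real New-InboxRule parameters, while the surrounding record layout, the user names and addresses, and the list of hiding folders beyond "Archive" are this example's assumptions.

```python
"""Flag inbox rules that hide replies from a fraud target.
Added example with constructed audit records; see the comments for what is
modelled on real Exchange parameters and what is assumed."""
import json
from typing import Optional

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# "Archive" is the folder named in the report. The other folders are this
# example's own additions (assumption), chosen because users rarely open them.
HIDING_FOLDERS = {"Archive", "Deleted Items", "Junk Email", "RSS Feeds",
                  "Conversation History"}
# Real New-InboxRule parameters that key a rule on the other party or subject.
CONTENT_FILTERS = {"FromAddressContainsWords", "SubjectContainsWords",
                   "BodyContainsWords", "SubjectOrBodyContainsWords"}

# Constructed sample: alice's mailbox gets a rule that archives and marks read
# anything from the target's domain; bob files a newsletter, which is benign;
# the third record is not a rule operation at all.
SAMPLE_AUDIT = """\
{"CreationTime": "2022-07-12T09:04:10", "Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "198.51.100.77", "Parameters": [{"Name": "Name", "Value": "Rule 1"}, {"Name": "FromAddressContainsWords", "Value": "acme-partner.example"}, {"Name": "MoveToFolder", "Value": "Archive"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"CreationTime": "2022-07-12T10:15:00", "Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "203.0.113.22", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"CreationTime": "2022-07-12T10:16:00", "Operation": "MailItemsAccessed", "UserId": "bob@example.com", "ClientIP": "203.0.113.22"}
"""


def _params(record) -> dict:
    """Flatten the audit log's [{"Name": ..., "Value": ...}, ...] list."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def classify_rule(record) -> Optional[dict]:
    """Return a finding for a rule that hides mail, or None.

    A rule is suspicious when it moves mail to a folder the user will not
    check, or deletes it outright. Marking the mail read (so no unread count
    appears) and keying the rule on the other party's address or subject, as
    the campaign did, raise the severity to high.
    """
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    p = _params(record)
    reasons = []
    if p.get("MoveToFolder") in HIDING_FOLDERS:
        reasons.append(f"moves matching mail to '{p['MoveToFolder']}'")
    if str(p.get("DeleteMessage")).lower() == "true":
        reasons.append("deletes matching mail")
    if not reasons:
        return None  # filing mail into a working folder is ordinary behaviour
    if str(p.get("MarkAsRead")).lower() == "true":
        reasons.append("marks it as read")
    filters = {k: p[k] for k in CONTENT_FILTERS if k in p}
    return {
        "user": record.get("UserId"),
        "client_ip": record.get("ClientIP"),
        "rule_name": p.get("Name"),
        "filters": filters,
        "reasons": reasons,
        "severity": "high" if len(reasons) >= 2 and filters else "medium",
    }


def find_suspicious_rules(log_text: str) -> list:
    """Run classify_rule over newline-delimited JSON audit records."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = classify_rule(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_AUDIT):
        print(json.dumps(finding, indent=2))
```

Pairing the ClientIP of the rule-creation event with the IP that replayed the session cookie is what ties the two stages of the intrusion together; in a live tenant the same records can be pulled with Search-UnifiedAuditLog and fed to this function one line at a time.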
According to a note published by Microsoft, "it took as little time as five minutes after credential and session theft for an attacker to launch their follow-on payment fraud."
It is believed that the perpetrators of the fraudulent activities used Outlook Web Access (OWA) on a Chrome browser to carry them out. Additionally, it is believed that the perpetrators deleted the initial phishing email from the account's Inbox folder as well as the follow-on communications with the target from both the Archive and Sent Items folders in order to remove any traces of their activities.
According to the findings of the researchers, "This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organizations put in place to defend themselves against potential attacks."
"Even though AiTM phishing makes an effort to get around multi-factor authentication (MFA), it is important to stress that MFA implementation is still an essential component of identity security. MFA is still very effective at preventing a wide variety of threats; in fact, its effectiveness was the impetus behind the development of AiTM phishing in the first place."
The findings come as researchers from Stony Brook University and Palo Alto Networks demonstrated at the end of last year a new fingerprinting technique that makes it possible to identify AitM phishing kits in the wild, using a tool called PHOCA.